RoleManagement.ReadWrite.Exchange
Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, without a signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.
Permission Details
Read and write Exchange Online RBAC configuration
Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, without a signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.
025d3225-3f02-4882-b4c0-cd5b541a4e80
Read and write Exchange Online RBAC configuration
Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.
c1499fe0-52b1-4b22-bed2-7a244e0e879f
Properties
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
directory |
object |
|
entitlementManagement |
object |
Container for roles and assignments for entitlement management resources. |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
{
"@odata.type": "#microsoft.graph.roleManagement"
}Relationships
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
directory |
rbacApplication |
Read-only. Nullable. |
entitlementManagement |
rbacApplication |
Container for roles and assignments for entitlement management resources. |
enterpriseApps |
rbacApplication collection |
Related enterpriseApps data exposed by this resource. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No API methods available for this version.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docsMicrosoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new CustomAppScope
{
Type = "RecipientScope",
DisplayName = "Protected Exec Users",
CustomAttributes = new CustomAppScopeAttributesDictionary
{
AdditionalData = new Dictionary<string, object>
{
{
"Exclusive" , false
},
{
"RecipientFilter" , "Title -like 'VP*'"
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Exchange.CustomAppScopes.PostAsync(requestBody);const options = {
authProvider,
};
const client = Client.init(options);
const customAppScope = {
type: 'RecipientScope',
displayName: 'Protected Exec Users',
customAttributes: {
Exclusive: false,
RecipientFilter: 'Title -like \'VP*\''
}
};
await client.api('/roleManagement/exchange/customAppScopes')
.version('beta')
.post(customAppScope);Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
$params = @{
type = "RecipientScope"
displayName = "Protected Exec Users"
customAttributes = @{
Exclusive = $false
RecipientFilter = "Title -like 'VP*'"
}
}
New-MgBetaRoleManagementExchangeCustomAppScope -BodyParameter $params# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.custom_app_scope import CustomAppScope
from msgraph_beta.generated.models.custom_app_scope_attributes_dictionary import CustomAppScopeAttributesDictionary
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = CustomAppScope(
type = "RecipientScope",
display_name = "Protected Exec Users",
custom_attributes = CustomAppScopeAttributesDictionary(
additional_data = {
"exclusive" : False,
"recipient_filter" : "Title -like 'VP*'",
}
),
)
result = await graph_client.role_management.exchange.custom_app_scopes.post(request_body)App Registration
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
Select Permission Type
Choose Application permissions or delegated permissions and search for RoleManagement.ReadWrite.Exchange
Grant Admin Consent
Application permissions always require admin consent.